Dustin D. Trammell Security Research BreakingPoint Systems, Inc. Computer Academic Underground

Transcription

1 Dustin D. Trammell Security Research BreakingPoint Systems, Inc. Computer Academic Underground

2 About Me Dustin D. Trammell a.k.a. I)ruid Employed by BreakingPoint Systems, Inc. Founder, Computer Academic Underground Co-Founder, AHA! (Austin Hackers Association) Contributor, VoIP Security Alliance

3 About this Presentation Attacks discussed are either recent or significant Making the case that attack tools are available and mature Divided into three sections: Briefly, VoIP Basics Attacks (Vulns, Attacks, Impact, Tools, Mitigation) Problems with suggested mitigation actions I ll be discussing only technical attacks

4 Legend Attack Classes Attack against Availability Attack against Integrity Attack against Confidentiality Currently Un-patched Example / Demo Attack Tool References

5 Notes on Mitigation Often there are no clear-cut solutions to any vulnerability or attack I will refrain from using the isolate your VoIP network cop-out solution Some mitigation techniques suggested do work; In part three, I ll only be discussing: Those that don t work well Those that have significant drawbacks Those that have significant barriers to implementation

6 VoIP Basics VoIP for the uninitiated...

7 Terminology VoIP - Voice over Internet Protocol Call - the session aggregate of signaling and media between endpoints Endpoint - Point where a call terminates Soft-phone - VoIP phone implemented entirely in software Hard-phone - VoIP phone with a physical presence, also sometimes referred to as a handset PSTN - Public Switched Telephone Network, or your traditional telephony networks.

8 Signaling vs. Media Separate channels for signaling information vs. media (bearer) data due to abuse Adopted from traditional telephony systems Some protocols like IAX/IAX2 combine these into a single channel

9 Protocols & Ports Signaling Session Initiation Protocol (SIP) : TCP/UDP 5060,5061 Session Description Protocol (SDP) : Encapsulated in SIP Media Gateway Control Protocol (MGCP) : UDP 2427,2727 Skinny Client Control Protocol (SCCP/Skinny) : TCP 2000,2001 Real-time Transfer Control Protocol (RTCP) : (S)RTP+1 Media Real-time Transfer Protocol (RTP) : Dynamic Secure Real-time Transfer Protocol (SRTP) : Dynamic Hybrid Inter-Asterisk exchange v.1 (IAX): UDP 5036 (obsolete) Inter-Asterisk exchange v.2 (IAX2) : UDP 4569

10 H.323 Protocol Suite & Ports Signaling H Call Parameters - Dynamic TCP H Q Call Setup - TCP 1720 RAS - UDP 1719 Audio Call Control - TCP 1731 RTCP - RTP Control - Dynamic UDP Media RTP - Audio - Dynamic UDP RTP - Video - Dynamic UDP

11 Audio Codecs DoD CELP Kbps GIPS Family Kbps and up ilbc - 15 Kbps, 20ms frames / 13.3 Kbps, 30ms frames ITU G Kbps (a.k.a. alaw / ulaw) ITU G / 56 / 64 Kbps ITU G / 6.3 Kbps, 30ms frames ITU G / 24 / 32 / 40 Kbps ITU G Kbps ITU G Kbps, 10ms frames LPC Kbps Speex to 44.2 Kbps, Free Open-Source codec

12

13 Generalized Attacks

14 Flooding Vulnerabilities: Most hard-phones have limited or underpowered hardware Protocols provide unauthenticated and unauthorized functions Attack: Flood the device with VoIP protocol packets: SIP INVITE, OPTIONS Bogus RTP media packets Flood the device with network protocol packets: TCP SYN ICMP Effect: Degraded call quality Device crash, halt, freeze, or respond poorly

15 Flooding Tools: Scapy - General purpose packet tool InviteFlood - SIP Invite flooder IAXFlood - IAX protocol flooder UDPFlood - General UDP flooder RTPFlood - RTP protocol flooder Mitigation: Protect your core network devices from external access Rate-limit VoIP traffic at points of control

16 Flood Amplification Vulnerabilities: Protocols provide unauthenticated functionality Some protocols use a connectionless transport (UDP) Attack: Spoof the source address of your packet as originating from your victim Spread the love around Invoke functionality that responds with more data than the request Effect: Smurf -like amplification flood

17 Flood Amplification Tools: Scapy - General purpose packet tool NetSamhain Nemesis Mitigation: Use a connection oriented transport (TCP) Authenticate protocol messages Rate-limit network traffic

18 Fuzzing Vulnerabilities: Protocol stack implementations are immature / poor Attack: Send malformed messages to a device s input vectors Effect: Many endpoint devices will crash, halt, freeze, respond poorly, or otherwise enter a DoS condition Some core devices may behave similarly Very effective method of identifying software bugs

19 Fuzzing Tools: Sulley Fuzzer PROTOS Suite - SIP, HTTP, SNMP ohrwurm - RTP Fuzzy Packet - RTP, built-in ARP poisoner Other tools Mitigation: Use open-source soft-phones and hard-phone firmware Demand resilient devices from your device vendor Ask about and review your vendor s QA processes

20 Attacks Against Signaling

21 Signaling Manipulation Overview Vulnerabilities: Protocols are unencrypted and unauthenticated Signaling extends to endpoint device Attacks: Inject malicious signaling messages into a signaling channel Send new signaling messages to endpoints or services Effects: Forced call tear-down DoS Media redirection, injection, or call hijacking Registration manipulation DoS / hijack

22 Forced Call Teardown Vulnerabilities: Most protocols are unencrypted and do not authenticate all packets The signaling channel can be monitored Attack: Inject spoofed call tear-down messages into the signaling channel such as: SIP: BYE IAX: HANGUP (Frame type 0x06, Subclass 0x05) Effect: DoS: A call in progress is forcibly closed.

23 Forced Call Teardown Tools: Teardown - SIP BYE injector sip-kill - Injects valid SIP teardown messages into a session sip-proxykill - Similar technique against SIP proxies IAXHangup H225RegReject Mitigation: Encrypt the signaling channel Authenticate every signaling message

24 Registration (Call) Hijacking Vulnerability: Signaling protocols are unencrypted Attack: Observe a legitimate endpoint registration Use observed information and credentials to replace the legitimate registration Observe a call-setup message Effect New calls for the endpoint are routed to the malicious device rather than the legitimate device

25 Registration (Call) Hijacking Tools Registration Hijacker Registration Remover Registration Adder RedirectPoison Mitigation Encrypt signaling traffic

26 Media Hijacking Vulnerabilities: Signaling protocols are unencrypted and unauthenticated Signaling extends to endpoint device Attack: Inject malicious signaling messages into a signaling channel Send new signaling messages to endpoints or services Effect: Media redirection, duplication, or termination

27 Media Hijacking Example

28 Media Hijacking Example

29 Media Hijacking Example

30 Media Hijacking Tools: sip-redirectrtp + rtpproxy Mitigation: Encrypt the signaling channel Fix protocols to authenticate ALL signaling messages related to a call

31 Caller-ID Spoofing Vulnerability: Protocols are un-authorized and un-verified end-to-end End-point supplied data is not challenged Many automated systems use Caller-ID information to authenticate users Attack: Initiate a call with falsified Caller-ID information Effect: An attacker may appear to the called party as someone they are not An attacker may be erroneously authenticated

32 Caller-ID Spoofing Tools: Most soft-phones Asterisk IPBX VoIP to PSTN service providers that honor usersupplied Caller-ID information - IAX/SIP VoIP Service provider - Calling-card based - For business use - Text to Voice prank messages! Mitigation: Don t honor user-supplied Caller-ID information Don t trust Caller-ID information for user authentication

33 Caller-ID Name Disclosure Vulnerability: Caller-ID Information can be spoofed PSTN switches add name information to Caller-ID Attack: Set your Caller-ID to the number you want to identify Call yourself so that the path of your call routes through the PSTN Receive the Caller-ID information which will have the name associated with the number Effect: Phone Number to Name Lookup Disclosure of potentially unlisted information

34 Caller-ID Name Disclosure Tools: Asterisk IPBX Most soft-phones VoIP to PSTN service providers that honor usersupplied Caller-ID information - IAX VoIP provider, use Asterisk! - Calling-card based - For business use - Text to Voice prank messages! PSTN Telephone Line w/caller-id Mitigation: Have the PSTN telephony provider remove the Caller- ID name associated with your number

35 Eavesdropping the Environment Vulnerabilities: Signaling extends to the endpoint devices Signaling is neither authenticated nor encrypted Attack: Send malformed call set-up signaling to a device Effect: Device silently answer the incoming call Audio from the device s environment may be eavesdropped

36 Eavesdropping the Environment Tools Grandstream GXV-3000 SIP Phone exploit: August/ html Other undisclosed devices have the same issue Mitigation Affected vendors need to patch their protocol stacks Devices with available patches need to be updated

37 Directory Enumeration Vulnerabilities: Protocols provide unauthenticated functionality Protocols respond differently to valid vs. invalid usernames Protocols are unencrypted on the wire Attack: Active: Send specially crafted protocol messages which elicit a telling response from the server Passive: Watch network traffic for device registration messages Effect: Valid usernames are disclosed Usernames may be used in a more targeted attack such as pass-phrase cracking.

38 Directory Enumeration Example Send this to target SIP device: OPTIONS SIP/2.0 Via: SIP/2.0/TCP ;branch=3afGeVi3c92Lfp To: test Content-Length: 0 Receive: SIP/ Not Found

39 Directory Enumeration Tools: SIPCrack - Sniffs traffic for valid usernames and then attempts to crack their passwords enumiax - Uses IAX REGREQ messages against Asterisk SIPSCAN - Uses SIP OPTIONS, INVITE, and REGISTER messages against SIP servers Mitigation: Encrypt signaling to prevent passive enumeration Fix protocols that respond differently to valid vs. invalid username registrations.

40 Attacks Against the Media

41 Media Injection Vulnerability Media channel packets are unauthenticated and unencrypted Attack: Inject new media into an active media channel Replace media in an active media channel Effect: Modification of media Replacement of media Deletion of media

42 Media Injection Example: RTP Real-Time Transfer Protocol UDP Transport Requisites: Able to observe a legitimate RTP session Adjust sequence numbers of injected packets so that they will arrive before legitimate packet Send away!

43 Media Injection Tools RTPInsertSound z RTPMixSound RTPInject (GUI) Mitigation Authenticate or verify received media packets Encrypt the media channel

44 Covert Communication Vulnerability Media channel packets are unauthenticated and unencrypted Attack: Manipulate an active media channel and embed covert communication data Extract covert communication data from an active media channel Effect: Send covert data using someone else s call media Receive covert data embedded into someone else s call media

45 MITM Covert Communication RTP RTP SteganRTP A RTP Endpoint B RTP Endpoint A SteganRTP B

46 Covert Communication Tools SteganRTP Vo 2 IP No longer available Mitigation Authenticate or verify media packets Encrypt the media channel (some protection)

47 Eavesdropping the Media Vulnerability: Media protocols are usually un-encrypted on the wire Media traffic can be observed and recorded Attack: Observe / Record the media packets Reconstruct the payload into an easily playable media file Effect: Calls are not private!

48 Eavesdropping Example: RTP

49 RTP Eavesdropping

50 RTP Eavesdropping

51 RTP Eavesdropping

52 Eavesdropping the Media Tools: Ethereal / W ireshark Cain & Abel Vomit - Targets Cisco devices Etherpeek VX Mitigation: Encrypt the media channel

53 Attacks Leveraging the Underlying Network

54 Configuration Disclosure: Infrastructure Vulnerability: Most hard-phones use FTP or TFTP when booting FTP is an insecure protocol TFTP is an even more insecure protocol Attack: FTP: Observe the device s login credentials TFTP: Guess or observe filenames Grab the configuration file and firmware from the server Or just reconstruct the firmware / configuration file from observation Effect: Disclosure of sensitive information such as: Usernames / Passwords Call Server, Gateway, Registration Server, etc. Available VoIP services

55 Configuration Disclosure: Infrastructure Tools: Ethereal / Wireshark Deductive Reasoning Cisco phones have MAC based filenames: CTLSEP<eth.addr>.tlv SEP<eth.addr>.cnf.xml SIP<eth.addr>.cnf MGC<eth.addr>.cnf Then there s defaults: XMLDefault.cnf.xml SIPDefault.cnf dialplan.xml TFTP-Bruteforce - Brute forces TFTP filenames Mitigation: Don t use TFTP! FTP is better, but still not secure... Use non-default filenames

56 Attacks Against Endpoint Services

57 Configuration Disclosure: Device Vulnerability: Hard-phones provide management interfaces VXWorks remote debugging and console port open Attack: Point a browser at the device on port 80 SNMP-walk the device Attach a remote VXWorks debugger Effect: Disclosure of sensitive information such as: Usernames / Passwords Call Server, Gateway, Registration Server, etc. Available VoIP services Device internals

58 Configuration Disclosure: Device Tools: Web Browser - Connect to port 80 SNMPwalk - retrieve a subtree of management values VXWorks debugger (GDB) Mitigation: Disable device admin ports like HTTP and SNMP Disable remote debugging ports

59 Web Management Interface XSS Vulnerability Devices don t sanitize input / web output Device web management apps display log and message data Attack Embed XSS code into a signaling message Send crafted message to target device Wait for user to display logs/message via the device s web interface Impact Cross-Site-Scripting code execution Potential traversal of trust boundaries

60 Web Management Interface XSS Tools: Any VoIP device with user-configurable display fields Example: October/ html Mitigation: Don t use device web management interfaces Demand more secure protocol stacks from your device vendors

61 Vendor-Specific Attacks

62 Vendor-Specific Attacks Cisco

63 Cisco IP Phone Forced Reboot Vulnerability: SCCP runs on TCP which is vulnerable to reset attacks If a phone s signaling channel is terminated this way the phone performs a full reboot As of firmware 8.0(7.0) (most recent for 7940, not avail) Public Disclosure: 04/20/ Attack: Inject a RST packet into the signaling channel Effects: The IP phone performs a full reboot Service is unavailable while doing so

64 Cisco IP Phone: Forced Reboot Tools: tcpkill - Sniffs network traffic for a TCP session and injects RST packets to forcibly close the connection Vendor Response: 04/20/ Summary: Fixed adhering to version 2 of Result: Attack is slightly harder but not much. Phone still reboots. Mitigation: The device should re-establish the session rather than performing a full device reboot. (like when you prompt a RST via an ICMP destination/protocol unreachable (Type 3, Code 2) attack against the CCM (BID:12134))

65 Vendor-Specific Attacks FiWin

66 SS28S Debug Console Hard-coded Credentials Vulnerability VxWorks debug console open via Telnet VxWorks credentials hard-coded to user 1 and pass 1 As of firmware 01_02_07 (current as of 10/24/06) Public Disclosure: 09/22/06 VoIP-SIPSkype-Phone/ BID: Attack Telnet to the phone on port 23 Authenticate with username 1, password 1 Effects Device configuration disclosure Authentication credentials disclosure DoS via memory corruption, disk format/corruption

67 SS28S Debug Console Hard-coded Credentials Tools Telnet client Vendor Response Notified 09/15/06 by Zachary McGrew, no response. Notified 09/26/06 by myself, no response. Mitigation Issue the td ttelnetd command within the VXW orks console Update the firmware No updated firmware available Requires proprietary USB cable that you can only get from FiWin They apparently don t sell it!

68 Issues With Mitigation

69 Encrypt the Media Channel Many deployed devices don t support SRTP Many new devices won t support SRTP yet No standard way to negotiate or send keys Some methods for keying utilize the unencrypted signaling channel anyway ZRTP: DH Key Negotiation within the media channel May use IPSec or TLS, but...

70 Encrypt the Signaling Channel There is also no standard way to do this Alternatives to encrypting the signaling protocol itself include: IPSec to encrypt at the network layer Not scalable Issues with call set-up times TLS to encrypt at the transport layer Not end-to-end Issues with trust; no global PKI New protocol: DTLS!

71 Authenticate All Signaling Messages Requires that you update/fix the protocols The nature of VoIP requires that unknown parties be able to initiate sessions Can potentially wrap the protocol in an authenticating transport like IPSec or TLS

72 Fix the Protocols Not an immediate solution More time consuming with open / standards based protocols You have to convince a committee there is a problem Deliberation takes time May be faster / easier with proprietary protocols But you have to convince the vendor there is a problem

73 Don t Trust Caller-ID Unfortunately, users have been trained to believe that Caller-ID is trustworthy Caller-ID should be trustworthy Will take time to educate users

74 Use open-source soft-phones / firmware Unfortunately, most open-source softphones also have poor protocol stacks But at least you can: Audit the code Report problems to the maintainers As far as I m aware, there is no open source firmware for hard-phones Most are vendor-proprietary

75 Demand Resilient Vendor Devices Vendors aren t motivated to improve device security Some devices in this area are getting better Phones are limited by their hardware

76 Rate-limit Offensive Traffic Low-rate floods still effective! (just differently) Low-rate floods look like legitimate traffic Media doesn t like latency

77 Don't use TFTP! (or FTP) Most vendor VoIP systems don t provide an alternative

78 Conclusions

79 Q&A